fix(JWT): set iat to -30s as described in README(#18)

octokit · Sep 2, 2019 · a966613 · a966613
1 parent 31e2fb9
commit a966613
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/src/get-app-authentication.ts b/src/get-app-authentication.ts
@@ -1,7 +1,11 @@
 import jsonwebtoken from "jsonwebtoken";
 
 export function getAppAuthentication(id: number, privateKey: string) {
-  const now = Math.floor(Date.now() / 1000);
+  // When creating a JSON Web Token, it sets the "issued at time" (iat) to 30s
+  // in the past as we have seen people running situations where the GitHub API
+  // claimed the iat would be in future. It turned out the clocks on the
+  // different machine were not in sync.
+  const now = Math.floor(Date.now() / 1000) - 30;
   const expiration = now + 60 * 10; // JWT expiration time (10 minute maximum)
   const payload = {
     iat: now, // Issued at time
@@ -17,6 +21,6 @@ export function getAppAuthentication(id: number, privateKey: string) {
     type: "app",
     token: JWT,
     appId: id,
-    expiresAt: new Date(expiration).toISOString()
+    expiresAt: new Date(expiration * 1000).toISOString()
   };
 }
diff --git a/test/index.test.ts b/test/index.test.ts
@@ -34,7 +34,7 @@ x//0u+zd/R/QRUzLOw4N72/Hu+UG6MNt5iDZFCtapRaKt6OvSBwy8w==
 -----END RSA PRIVATE KEY-----`;
 // see https://runkit.com/gr2m/reproducable-jwt
 const BEARER =
-  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjAsImV4cCI6NjAwLCJpc3MiOjF9.UYfZtE742hkMV5cKMwp6-gVUvsWnUGoCQkl2UZZEkN8-lgvqzq5V8e5KtTrJxAAgcK7Yn1ViAlDUpwc9hZxrZ-gLaR10GR2hubte3OgkRDH-m_lCQ1Sgb9VQpZnagh_PMyRwphOw3uDXU3D7h2jL86UP3Ora8i9SRgXLq8X_2R9jtr2FDT1wtmcOLdyIc0Q7c_4X1uIPNjZS2UY04QBT7VWePk81EGdJAVQ_nEygXIuWOpMwZvtD0K1hzqQQM9GyV2QOwFSvFLtdbMVyld6Qvs8eEA5VS6Y4vTrGuyUF_lH5XlPdfAFAyrzsGP4inLq3tq6y4mjsx3YIF0P8DcMNPw";
+  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOi0zMCwiZXhwIjo1NzAsImlzcyI6MX0.q3foRa78U3WegM5PrWLEh5N0bH1SD62OqW66ZYzArp95JBNiCbo8KAlGtiRENCIfBZT9ibDUWy82cI4g3F09mdTq3bD1xLavIfmTksIQCz5EymTWR5v6gL14LSmQdWY9lSqkgUG0XCFljWUglEP39H4yeHbFgdjvAYg3ifDS12z9oQz2ACdSpvxPiTuCC804HkPVw8Qoy0OSXvCkFU70l7VXCVUxnuhHnk8-oCGcKUspmeP6UdDnXk-Aus-eGwDfJbU2WritxxaXw6B4a3flTPojkYLSkPBr6Pi0H2-mBsW_Nvs0aLPVLKobQd4gqTkosX3967DoAG8luUMhrnxe8Q";
 
 let clock: Clock;
 beforeEach(() => {
@@ -53,7 +53,7 @@ test("README example for app auth", async () => {
     type: "app",
     token: BEARER,
     appId: 1,
-    expiresAt: "1970-01-01T00:00:00.600Z"
+    expiresAt: "1970-01-01T00:09:30.000Z"
   });
 });